Implications

It is well known that while FFIEC guidance, as expressed in its various publications, may not have the force of law or regulations, it serves as a blueprint for examiners to follow in conducting audits of your institution. Accordingly, if you fail to comply, you could fail an audit and therefore be prevented from entering new markets, introducing new products, or even merging with or acquiring another institution. For these reasons, it’s important for you to understand how to meet the requirements of FFIEC guidance when moving to the cloud.

“In light of the increasing volume and sophistication of cybersecurity threats, examiners should focus on cybersecurity preparedness in assessing the effectiveness of an institution’s overall information security program.”

The remainder of this post will describe how Threat Stack can help you provide and maintain robust security for your cloud infrastructure while also meeting the information security program requirements of the FFIEC Handbook.

Identifying Threats and Vulnerabilities

“To be effective, an information security program should have documented processes to identify threats and vulnerabilities continuously. Risk identification should produce groupings of threats, including significant cybersecurity threats.” [Emphasis added.]

Threat Stack’s Audit, Monitor, and Investigate solutions can help financial institutions (FIs) identify these threats and vulnerabilities.

Threat Identification

Communication between your cloud instances and a malicious host (e.g., botnet command and control server) can represent a significant cybersecurity threat. The Threat Stack Investigate solution includes Threat Intelligence rules that can alert you whenever an instance communicates with an IP address appearing on one of several open-source and commercial threat intelligence data feeds.

Infrastructure and Instance Vulnerability Scanning

Financial Institutions running their operations in the cloud can be exposed to vulnerabilities both in their cloud infrastructure (e.g., Amazon Web Services) as well as in individual instances (servers).

The Threat Stack Audit solution includes Configuration Auditing (aka Config Audit). By automatically auditing your current environment, this capability can help FIs operating in AWS identify infrastructure vulnerabilities, implement AWS security best practices, and conform to Center for Internet Security (CIS) benchmarks. It provides an immediate, concise report of configurations that are non-compliant with best practices. We then offer steps to remediate vulnerabilities and make your AWS infrastructure more secure.

So while Config Audit helps identify and remediate AWS infrastructure vulnerabilities, our Monitor and Investigate solutions can perform vulnerability scans on instances (either on-premise or in the cloud) to help you identify vulnerabilities that exist in specific packages that are installed on any of your instances.

Risk Measurement

The Handbook recommends the use of threat analysis tools “to assist in understanding and supporting the measurement of information security-related risks” and to “deconstruct an event into stages, better understand the event, identify the most effective and efficient means of mitigating risk, and improve the information security program.” It cites as examples tools which can display a “chronological series of events in a system or activity,” as well as schemata that list software vulnerabilities such as Mitre Corporation’s Common Vulnerabilities and Exposures (“CVE”).

Threat Stack can support your risk measurement process in several ways:

TTY Timeline

When a suspicious event occurs in a user’s session on an instance being monitored by Threat Stack, our Investigate package can recreate a “TTY Timeline”, essentially playing back all of the events that occurred in the session so that you can deconstruct the event, understand what occurred, identify the best way of mitigating risk, and implement changes to improve your information security program.

As explained above, Threat Stack’s Monitor and Investigate solutions can perform vulnerability scans on instances (either on-premise or in the cloud) to help you identify vulnerabilities that exist in specific packages that are installed on any of your instances. Any vulnerabilities identified include links to the relevant CVE to further assist you in measuring the extent to which it may represent a risk to your institution.

Risk Mitigation

“Once management has identified and measured the risks, it should develop and implement an appropriate plan to mitigate those risks. … Additionally, management should develop, maintain, and update a repository of cybersecurity threat and vulnerability information that may be used in conducting risk assessments and provide updates to senior management and the board on cyber risk trends.”

The Threat Stack intrusion detection platform includes detective technology that can form important components of a layered control system that the Handbook recommends in order to mitigate information security and cybersecurity risks. These include a number of rule sets designed to alert on various types of cloud security incidents, including:

Threat Intelligence Rule Set — agent-based rules for monitoring inbound and outbound communications between instances and known bad IP addresses, including botnet command and control servers, spamming servers, and other malicious hosts

When activity on an instance or in AWS triggers a rule, an alert is generated. For example:
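The following is an added illustration of the kind of logic a threat intelligence rule set applies; it is not Threat Stack’s code or alert format. The feed entries and connection events are constructed (RFC 5737 documentation addresses stand in for real indicators), and the event field names are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed threat-intel feed: RFC 5737 documentation ranges stand in for real
# indicators; a production rule set would load the feeds the post mentions.
THREAT_FEED = {
    "198.51.100.23": "botnet command-and-control host",
    "203.0.113.0/24": "spamming server range",
}
# Constructed connection events as an agent might report them (not Threat Stack's schema).
EVENTS = [
    {"ts": "2017-03-01T10:00:01Z", "instance": "i-0aaa", "dir": "outbound", "remote": "198.51.100.23", "port": 443},
    {"ts": "2017-03-01T10:00:05Z", "instance": "i-0bbb", "dir": "inbound", "remote": "203.0.113.77", "port": 22},
    {"ts": "2017-03-01T10:00:09Z", "instance": "i-0aaa", "dir": "outbound", "remote": "192.0.2.10", "port": 443},
    {"ts": "2017-03-01T10:00:12Z", "instance": "i-0aaa", "dir": "outbound", "remote": "198.51.100.24", "port": 80},
]
@dataclass
class Alert:
    instance: str
    direction: str
    remote_ip: str
    indicator: str     # feed entry that matched (single host or CIDR)
    description: str
    severity: int      # 1 = highest

def compile_feed(feed):
    """Parse feed keys into ip_network objects once so per-event lookups are cheap."""
    return [(ipaddress.ip_network(k, strict=False), k, v) for k, v in feed.items()]

def match_indicator(networks, ip):
    """Return (indicator, description) for the first feed entry containing ip, else None."""
    addr = ipaddress.ip_address(ip)
    for net, key, desc in networks:
        if addr in net:
            return key, desc
    return None

def evaluate(events, feed=THREAT_FEED):
    """Apply the threat-intelligence rule to each event and return one Alert per hit."""
    networks = compile_feed(feed)
    alerts = []
    for ev in events:
        hit = match_indicator(networks, ev["remote"])
        if hit is None:
            continue  # remote address is not on the feed: no alert
        indicator, desc = hit
        # An instance reaching out to a C2 host is rated above inbound contact.
        severity = 1 if ev["dir"] == "outbound" else 2
        alerts.append(Alert(ev["instance"], ev["dir"], ev["remote"], indicator, desc, severity))
    return alerts
```

Run against the constructed events, the rule raises two alerts (one outbound C2 contact, one inbound connection from the listed range) and stays silent on the two addresses that are not on the feed.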

The following summarizes important aspects of the recommended risk mitigation actions and the specific Threat Stack functionality that can help you meet these requirements:

Configurations should be monitored for unauthorized changes, and misconfigurations should be identified. Management can use automated solutions to help track, manage, and identify necessary corrections.

Config Audit can ensure compliance with best practices and identify misconfigurations in your AWS infrastructure.

Vulnerability scanning can help ensure that Linux instances are free of known vulnerabilities (CVEs).

CloudTrail monitoring can alert you to configuration changes in your AWS account.

File Integrity Monitoring can alert you to unauthorized changes to system or configuration files.

Management should develop and maintain policies and procedures to identify, measure, mitigate, monitor, and report on significant security incidents to ensure the resilience of remote financial services.

Risk Monitoring and Reporting

The Handbook describes risk monitoring as:

“A process by which the institution tracks information about its inherent risk profile and identifies gaps in the effectiveness of risk mitigation activities. Risk monitoring should address changing threat conditions in both the institution and the greater financial industry. Threats change frequently, particularly in terms of the threat’s capabilities and intentions, as well as the vulnerabilities they may exploit. Vulnerabilities in software are continually announced, and other vulnerabilities may emerge as the institution’s systems are modified or updated.”

It describes risk reporting as:

“A process that produces information systems reports that address threats, capabilities, vulnerabilities, and inherent risk changes. Risk reporting should describe any information security events that the institution faces and the effectiveness of management’s response and resilience to those events.”

For financial institutions moving operations to the cloud, risk monitoring and reporting must occur both at the infrastructure and instance level. Fortunately, the Threat Stack intrusion detection platform has capabilities for monitoring and reporting on both of these aspects:

Compliance Reporting — An integral part of Threat Stack’s intrusion detection platform, which means you can receive daily reports on the status of internal controls and processes that address a number of key compliance requirements.

Final Words . . .

For financial institutions looking to move operations to the cloud, complying with FFIEC information security requirements need not present an insurmountable challenge. This post shows how the Threat Stack intrusion detection platform can help make your cloud security journey as smooth as possible.

We encourage you to explore additional Threat Stack features and, if you are interested in learning more about Threat Stack’s ability to help with compliance, please download a copy of our free Compliance Playbook for Cloud Infrastructure.